Solved

Supernetting: Combining A-Class IP address with C-Class IP Address

Posted on 2003-12-10
Last Modified: 2007-12-19
Hi there,
I'm trying to set up a network containing:
 a Sun server with private IP 192.1.1.1
 several hosts with private IP 192.168.2.x
 a hubswitch
 a Linux server as a gateway to the internet, with LAN iface IP 192.168.3.254 and WAN iface.

Everything is working except that the hosts cannot ping the Sun server. Can it be solved by modifying the routing table on the Linux gateway? I don't have another router to split the server from the hosts' network.
The IP address of the Sun server cannot be changed because that IP has been hard-coded into the internal accounting system built by the Software Department, and they don't want to modify their source.
Thanks in advance.
Question by:m98yahya
 
LVL 4

Assisted Solution

by:Jivko
Jivko earned 25 total points
ID: 9918703
Yes, it is possible.

There are two ways.

On the Linux router:

Assign IP address 192.168.1.2 to the Ethernet interface:

ifconfig eth0:1 192.1.1.2 netmask 255.255.255.252 broadcast 192.1.1.3

Or just add a static route to Sun

By iproute2:
ip route add 192.1.1.1 dev eth0

By old route:
route add 192.1.1.1 dev eth0


Regards





0
 

Author Comment

by:m98yahya
ID: 9932568
Thanks Jivko, I'll try it tomorrow as the office is closed on Friday and Saturday.
0
 
LVL 5

Expert Comment

by:brabard
ID: 9933750
It is very interesting what happens with your addressing. Your Sun's A-class IP address is a public one, so it can be routed through the Net. I believe you didn't post the real address here :))
The second thing: once you have private IP address 192.168.3.x on your internal iface, how are hosts belonging to another network, 192.168.2.x, connected to the network?
0
 

Author Comment

by:m98yahya
ID: 9936092
Hi Brabard,
 Nice to get your comment. Actually, that's the real IP! ;) I'm working for a system integrator company as a system analyst (programming). This is my first job in networking, so I need to learn a lot. Please guide me.
I know my customer uses a public IP owned by bbn.com. The problem is they don't want to change the IP number as it requires a lot of work (on their part).
Is it possible to access the Sun server from outside, just because the IP is valid? I've set up a firewall so all access to the internet must go through it.

Your second comment is more interesting. As a matter of fact, the customer wants to use 192.168.3.x for fixed-IP nodes and 192.168.2.x for dynamic-IP nodes, all on the same switch. So I'm going to combine 192.168.3.x, 192.168.2.x and 192.1.1.1 in one LAN. Do I need to set a route as Jivko told me for 192.168.2.x too?

Lastly, what topic/article/book do you recommend I refer to?
Thanks a lot to you guys.
Best regards,
0
 

Author Comment

by:m98yahya
ID: 9936732
I've tried both solutions but they still fail.
0
 
LVL 4

Expert Comment

by:Jivko
ID: 9940503
Did you try this:
ip route add 192.1.1.1 dev eth0

??

0
 
LVL 5

Accepted Solution

by:
brabard earned 25 total points
ID: 9940813
Well, some basic things about routing.
You know the policy is simple: when the router receives a packet, it checks its destination address for matches in the routing table. First it goes to directly connected networks, then to static routes, then to the default gw.
So, if the Sun is somewhere after the WAN interface and it has a public IP address, assuming this interface is your default gateway, you don't need static routes; you need only source NATting.
That means you are replacing the private IP address 192.168.3.x with your public one belonging to the WAN interface and delivering that packet to the external net; the other routers must deliver it to the destination.

The other situation is if you don't have a public IP address on the WAN interface, or the path to the Sun is not via that interface. In that case you have to use static routing, as shown by Jivko.
0
 

Author Comment

by:m98yahya
ID: 9954573
Hi guys, today I tried to make the problem simple. I want to combine 172.25.123.x with 192.1.1.x.
I use smoothwall pendolino for the Linux box, using 2 NICs, configured as:
eth0: 172.25.123.234/24 broadcast at 172.25.123.255 (this is for the LAN iface)
eth1: 172.26.123.234/24 broadcast at 172.26.123.255 (this iface is connected to the ADSL modem/router. My internet connection is OK.)

Now I try to make an alias for eth0 with ifconfig:
ifconfig eth0:1 192.1.1.234 netmask 255.255.255.0 broadcast 192.1.1.255

My ifconfig shows:

[root@smoothwall root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:76:8D:7F:C0  
          inet addr:172.25.123.234  Bcast:172.25.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:565340 errors:0 dropped:0 overruns:1 frame:0
          TX packets:173947 errors:0 dropped:0 overruns:0 carrier:6
          collisions:151 txqueuelen:100
          RX bytes:62145247 (59.2 Mb)  TX bytes:172310064 (164.3 Mb)
          Interrupt:5 Base address:0x7400

eth0:1    Link encap:Ethernet  HWaddr 00:04:76:8D:7F:C0  
          inet addr:192.1.1.234  Bcast:192.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5 Base address:0x7400

eth1      Link encap:Ethernet  HWaddr 00:40:05:10:69:2C  
          inet addr:172.26.123.254  Bcast:172.26.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:168957 errors:0 dropped:0 overruns:0 frame:0
          TX packets:540111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:169192024 (161.3 Mb)  TX bytes:59181830 (56.4 Mb)
          Interrupt:10 Base address:0x7000

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:166 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:23034 (22.4 Kb)  TX bytes:23034 (22.4 Kb)


My route shows:

[root@smoothwall root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.25.123.0    *               255.255.255.0   U     0      0        0 eth0
192.1.1.0       *               255.255.255.0   U     0      0        0 eth0
172.26.123.0    *               255.255.255.0   U     0      0        0 eth1
default         172.26.123.234  0.0.0.0         UG    0      0        0 eth1


The 192.1.1.0 line was added automatically.

As you see, my ifconfig prints eth0:1 for 192.1.1.234, but my route says 192.1.1.0 is using eth0.
- Now I can ping 192.1.1.x from the Linux box.
- A host using 192.1.1.x (whose gateway is set to 192.1.1.234) can ping the Linux box and can access the internet, but cannot ping 172.25.123.x.

My sysctl net.ipv4.ip_forward shows:
net.ipv4.ip_forward=1

Help me please.
0
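The routing table posted above, worked through as an added example (not part of the original post): an alias such as eth0:1 is only an address label on eth0, so routing and netfilter both see eth0, and traffic between 192.1.1.x and 172.25.123.x is forwarded in and out of the same interface. The host addresses 192.1.1.5 and 198.51.100.7 are constructed samples, and `forward_path` assumes a packet arrives on the interface that the route back to its source points to.

```python
import ipaddress

# Output of `route` on the gateway, copied from the post above.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.25.123.0    *               255.255.255.0   U     0      0        0 eth0
192.1.1.0       *               255.255.255.0   U     0      0        0 eth0
172.26.123.0    *               255.255.255.0   U     0      0        0 eth1
default         172.26.123.234  0.0.0.0         UG    0      0        0 eth1
"""


def parse_routes(text):
    """Parse net-tools `route` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the title line and the column header
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        dest = "0.0.0.0" if dest == "default" else dest
        # Convert the dotted Genmask to a prefix length by counting set bits.
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        routes.append((ipaddress.ip_network(f"{dest}/{prefix}"),
                       None if gw == "*" else gw, iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def forward_path(routes, src, dst):
    """(in_iface, out_iface) that netfilter sees for a packet forwarded src -> dst.

    Assumption: the packet arrives on the interface the route to src uses.
    """
    return lookup(routes, src)[2], lookup(routes, dst)[2]


ROUTES = parse_routes(ROUTE_OUTPUT)

if __name__ == "__main__":
    # 192.1.1.5 and 198.51.100.7 are constructed sample addresses;
    # 172.25.123.206 is the Windows host from the thread.
    for src, dst in [("192.1.1.5", "172.25.123.206"),
                     ("172.25.123.206", "192.1.1.5"),
                     ("192.1.1.5", "198.51.100.7")]:
        print(src, "->", dst, forward_path(ROUTES, src, dst))
```

The inter-subnet flows come out as eth0 to eth0 while the internet flow is eth0 to eth1; `iptables -L FORWARD -n -v` adds the in/out interface columns that a plain `iptables -L` listing omits, which is where to look for a rule covering that eth0-to-eth0 pair.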

 
LVL 4

Expert Comment

by:Jivko
ID: 9955267
From a host using 192.1.1.x, try to ping 172.25.123.234 (eth0 on the Linux box) and say if you can.
0
 
LVL 5

Expert Comment

by:brabard
ID: 9955291
Well, everything seems OK except for your kernel filtering. What Linux distro? What is the output from iptables-save?
0
 

Author Comment

by:m98yahya
ID: 9955555
Yes, I can ping from 192.1.1.x to 172.25.123.234, 172.26.123.234 and 192.1.1.234.

How do I see what Linux distro? I tried uname -a and got:
Linux smoothwall 2.4.22 #4 Mon Sep 1 17:13:58 BST 2003 i686 i686 i386 GNU/Linux

I tried iptables-save but:
-bash: iptables-save: command not found

Is it normal to get eth0 instead of eth0:1?

Thank you very much in advance.
0
 
LVL 4

Expert Comment

by:Jivko
ID: 9955991
Set the default gateway of the machines in 172.25.123.x subnet to be 172.25.123.234. Or add a static route to 192.1.1.x:
Win:
route ADD 192.1.1.0 MASK 255.255.255.0  172.25.123.234 -p

*NIX:
ip route add 192.1.1.0/24 via 172.25.123.234
0
 

Author Comment

by:m98yahya
ID: 9956502
I had set the gateway like that before, and cannot ping the other subnet. Now I tried to add a route from a Win98 PC 172.25.123.x using:
 route ADD 192.1.1.0 MASK 255.255.255.0  172.25.123.234 -p

It seems not to work, maybe because of -p, so I tried:
route ADD 192.1.1.0 MASK 255.255.255.0  172.25.123.234 METRIC 2

Now it is added to the routing table:
C:\WINDOWS\Desktop>route print

Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0   172.25.123.234   172.25.123.206       1
          0.0.0.0          0.0.0.0   172.25.123.254   172.25.123.206    1000
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
     172.25.123.0    255.255.255.0   172.25.123.206   172.25.123.206       1
   172.25.123.206  255.255.255.255        127.0.0.1        127.0.0.1       1
   172.25.255.255  255.255.255.255   172.25.123.206   172.25.123.206       1
        192.1.1.0    255.255.255.0   172.25.123.234   172.25.123.206       2
        224.0.0.0        224.0.0.0   172.25.123.206   172.25.123.206       1
  255.255.255.255  255.255.255.255   172.25.123.206          0.0.0.0       1

Tried ping to 192.1.1.x... still get Request timed out :(
----------------------------------------------------------------------------------------
Is it because of my iptables rules? They are created by smoothwall. Does the 'disable spoofing' feature make the firewall deny route-back packets?

[root@smoothwall root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ipac~o     all  --  anywhere             anywhere          
ipblock    all  --  anywhere             anywhere          
ipblock    all  --  anywhere             anywhere          
ipblock    all  --  anywhere             anywhere          
advnet     all  --  anywhere             anywhere          
advnet     all  --  anywhere             anywhere          
advnet     all  --  anywhere             anywhere          
spoof      all  --  anywhere             anywhere          
spoof      all  --  anywhere             anywhere          
spoof      all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
secin      all  --  anywhere             anywhere          
block      all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ipac~fi    all  --  anywhere             anywhere          
ipac~fo    all  --  anywhere             anywhere          
ipblock    all  --  anywhere             anywhere          
ipblock    all  --  anywhere             anywhere          
ipblock    all  --  anywhere             anywhere          
secout     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
portfwf    all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
ipac~i     all  --  anywhere             anywhere          

Chain advnet (3 references)
target     prot opt source               destination        

Chain block (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere          
xtaccess   all  --  anywhere             anywhere          
ipsec      all  --  anywhere             anywhere          
ipsec      all  --  anywhere             anywhere          
ipsec      all  --  anywhere             anywhere          
ACCEPT     icmp --  anywhere             anywhere          
ACCEPT     icmp --  anywhere             anywhere          
ACCEPT     icmp --  anywhere             172.26.123.0/24    

Chain dmzholes (0 references)
target     prot opt source               destination        

Chain ipac~fi (1 references)
target     prot opt source               destination        
           all  --  anywhere             anywhere          
           all  --  anywhere             anywhere          

Chain ipac~fo (1 references)
target     prot opt source               destination        
           all  --  anywhere             anywhere          
           all  --  anywhere             anywhere          

Chain ipac~i (1 references)
target     prot opt source               destination        
           all  --  anywhere             anywhere          
           all  --  anywhere             anywhere          

Chain ipac~o (1 references)
target     prot opt source               destination        
           all  --  anywhere             anywhere          
           all  --  anywhere             anywhere          

Chain ipblock (6 references)
target     prot opt source               destination        
REJECT     all  --  cs73.msg.sc5.yahoo.com  anywhere           reject-with icmp-port-unreachable
REJECT     all  --  216.136.0.0/16       anywhere           reject-with icmp-port-unreachable
LOG        all  --  www.friendster.com   anywhere           LOG level warning
REJECT     all  --  www.friendster.com   anywhere           reject-with icmp-port-unreachable
LOG        all  --  UNKNOWN-66-163-160-0.yahoo.com/19  anywhere           LOG level warning
REJECT     all  --  unknown-66-163-160-0.yahoo.com/19  anywhere           reject-with icmp-port-unreachable

Chain ipsec (3 references)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere           udp dpt:isakmp
ACCEPT     gre  --  anywhere             anywhere          
ACCEPT     ipv6-crypt--  anywhere             anywhere          

Chain portfwf (1 references)
target     prot opt source               destination        

Chain secin (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          

Chain secout (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          

Chain spoof (3 references)
target     prot opt source               destination        
DROP       all  --  172.25.123.0/24      anywhere          

Chain xtaccess (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
0
 
LVL 5

Expert Comment

by:brabard
ID: 9964627
Ophh, how could it work at all :))
I lost myself in your kernel filtering rules. And I guess in the mangle and nat tables the situation is the same.
Specify what you need as network flows and I will help you to build iptables from the beginning.
0
 
LVL 5

Expert Comment

by:brabard
ID: 9964635
Btw, why does your Windows machine have two default gateways?
0
 

Author Comment

by:m98yahya
ID: 9980112
Did you mean this line?
 172.25.255.255  255.255.255.255   172.25.123.206   172.25.123.206       1

172.25.123.206 is my Windows machine's IP address. This line was added by Windows automagically :)

I'm sorry, I'm afraid I cannot reduce the rules as they are generated by smoothwall. I can manipulate them through the smoothwall web application interface, but not directly (at least for now).

As I can't solve the problem completely, I have to find a workaround so my customer doesn't flame me :) Actually they used Linux Router Project (LRP) as router and firewall before, and it works. So I just reconfigure the LRP machine to support several more subnets. If they need better control over their firewall, I will connect the LRP to the smoothwall box, so the LRP will act as router and smoothwall will act as firewall.

Anyway, I still doubt that the problem is my filtering rules. I'll try to study how it works, but for now I can sleep tight....

Lastly, thank you very much to you guys, especially brabard and Jivko. I'll split the points between you two.
0
